Closed terrypacker closed 4 years ago
Closing this as password strength is enforced, and opening new issue #987
Password strength is not enforced; the new UI has a client-side restriction of a minimum of 8 characters, but that is it. We should check the password strength in the user validation and provide a system setting to enable different password complexities.
What are we thinking: the regular boolean "must contain numbers, capitals, symbols" sort of thing plus a minimum length, or let them put in their own regex to validate passwords against?
Alarm raised completed in #987
This looks like a good candidate for a library: https://github.com/vt-middleware/passay
I'm against the regex plan because it doesn't help with the dictionary of common words that would normally be rejected in passwords.
Figure out #907 at the same time?
This was partially implemented in 53465f5187b655a02b22fbd09d81dd3d8882aebc
There is now an 8-character minimum password length and password expiration settings in system settings.
Also #907 is handled by the above referenced commit. We are using Passay's LengthRule of >=8 and <=255.
The plan is to create a system setting drop down to choose the most common password restriction configurations.
Use a setting for minimum length and a drop down that lets you select a minimum required character set:
- Alphabet only
- Alpha-numeric
- Alpha-numeric-symbol
- Require upper and lower case
Actually, may as well allow them to set any number of characters for each character type; easy enough to do. Store settings as JSON perhaps:

```json
{
  "length": {
    "min": 8,
    "max": 64
  },
  "characters": {
    "upperCase": 1,
    "lowerCase": 1,
    "digit": 1,
    "special": 1
  }
}
```

Another option is

```json
{
  "rules": [
    {"type": "UPPER_CASE"},
    {"type": "LENGTH", "min": 8, "max": 64},
    {"type": "LOWER_CASE"},
    ...
  ]
}
```
Requiring passwords with digits or punctuation and mixed case has made them harder to remember, but not more secure than longer passwords. The classic case is made in XKCD: Password Strength. A minimum length requirement with a dictionary check would be much more secure; or let the administrator choose their own policy.
Perhaps something like this Nbvcxz - Password strength estimator could be used. It includes word lists and common dates with fuzzy matching. I have not vetted it, but it had a high search result rank. The password check should occur on new password entry and also on login, in the case where a new password policy was implemented. Otherwise existing users could continue using weak passwords. Retroactive enforcement may require a time stamp on the password policy and on each user, or always checking every login.
Login failures are already logged. They should also increment a counter and raise an alarm, and perhaps a cooling off timeout period to limit the password retry rate. By default, less than 3 seconds between passwords should be assumed to be a robot, and should not be allowed.
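The following is an added example, not code from Mango or from Passay's documentation, showing how the first JSON layout proposed above maps onto Passay rules, how a dictionary check of the kind suggested in the previous comment slots in beside the length and character-class rules, and how the "recheck at login when the policy is newer than the user's password" idea can be expressed with a timestamp on the policy and on each user. The class name `PasswordPolicy`, the field names, the `commonWords` parameter and the `mustChangePassword` helper are assumptions for illustration; the word list is constructed inline, and the caller is assumed to have deserialized the JSON setting into the public fields.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.passay.CharacterRule;
import org.passay.DictionarySubstringRule;
import org.passay.EnglishCharacterData;
import org.passay.LengthRule;
import org.passay.PasswordData;
import org.passay.PasswordValidator;
import org.passay.Rule;
import org.passay.RuleResult;
import org.passay.WhitespaceRule;
import org.passay.dictionary.WordListDictionary;
import org.passay.dictionary.WordLists;
import org.passay.dictionary.sort.ArraysSort;

/** Hypothetical holder for the JSON policy: length.min/max and characters.* counts. */
public final class PasswordPolicy {
    public int minLength = 8, maxLength = 64;
    public int upperCase = 1, lowerCase = 1, digit = 1, special = 1;
    /** When this policy was saved; users whose password predates it are rechecked at login. */
    public Instant updatedAt = Instant.now();

    /**
     * Builds the Passay validator for this policy. A count of 0 disables that character class.
     * commonWords is a newline-separated list; a deployment would pass a FileReader over a
     * real word list to the same WordLists.createFromReader call.
     */
    public PasswordValidator toValidator(String commonWords) throws IOException {
        List<Rule> rules = new ArrayList<>();
        rules.add(new LengthRule(minLength, maxLength));
        rules.add(new WhitespaceRule());
        if (upperCase > 0) rules.add(new CharacterRule(EnglishCharacterData.UpperCase, upperCase));
        if (lowerCase > 0) rules.add(new CharacterRule(EnglishCharacterData.LowerCase, lowerCase));
        if (digit > 0)     rules.add(new CharacterRule(EnglishCharacterData.Digit, digit));
        if (special > 0)   rules.add(new CharacterRule(EnglishCharacterData.Special, special));
        // Case-insensitive word list, sorted by ArraysSort so WordListDictionary can binary-search it.
        WordListDictionary dict = new WordListDictionary(WordLists.createFromReader(
                new Reader[] { new StringReader(commonWords) }, false, new ArraysSort()));
        // Substring match rejects "password1" as well as "password".
        rules.add(new DictionarySubstringRule(dict));
        return new PasswordValidator(rules);
    }

    /** Returns the message for every violated rule (empty when valid), so a UI can show all of them. */
    public static List<String> check(PasswordValidator validator, String candidate) {
        RuleResult result = validator.validate(new PasswordData(candidate));
        return result.isValid() ? Collections.<String>emptyList() : validator.getMessages(result);
    }

    /**
     * Login-time recheck (assumed helper). The plaintext is only available at login, so this is
     * the one place an old password can be tested against a policy adopted after it was set.
     */
    public static boolean mustChangePassword(PasswordValidator validator, PasswordPolicy policy,
                                             Instant passwordChangedAt, String submitted) {
        return passwordChangedAt.isBefore(policy.updatedAt) && !check(validator, submitted).isEmpty();
    }

    public static void main(String[] args) throws IOException {
        PasswordPolicy policy = new PasswordPolicy();
        String words = "password\nwelcome\nqwerty\nletmein"; // constructed sample word list
        PasswordValidator validator = policy.toValidator(words);

        // Exercises the uppercase, special-character and dictionary-substring rules at once.
        System.out.println(check(validator, "password1"));
        // Satisfies every rule under the constructed word list.
        System.out.println(check(validator, "Tr0ub4dor&3xyz"));

        // A user whose password was set before the policy was saved gets rechecked on login.
        Instant setLongAgo = Instant.parse("2018-01-01T00:00:00Z");
        System.out.println(mustChangePassword(validator, policy, setLongAgo, "password1"));
    }
}
```

Collecting `getMessages(result)` rather than stopping at the first failure is what lets the server return the full list of violations in one response; the caller then has to store `updatedAt` alongside the policy and a `passwordChangedAt` per user for the login-time recheck to work.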
@resotek as of Mango 3.6 we have implemented rate limiting for authentication attempts; this is configured in the env properties.
The commit to fix up the validation: 5168acdf30227070988662a928e3647d147550a3
UI for password complexity system settings was added in infiniteautomation/ma-dashboards@e3518c021d61d79da0856512d5a18ce9f6c33965
@jazdw The validation messages are not working properly. There is nothing displayed on the form and the toast at the bottom only displays the 1st validation message. Here is the 422 response when multiple rules have been violated:
```json
{
  "cause" : null,
  "result" : {
    "messages" : [ {
      "level" : "ERROR",
      "message" : "Password must contain 2 or more uppercase characters",
      "property" : "password"
    }, {
      "level" : "ERROR",
      "message" : "Password must contain 1 or more digit characters",
      "property" : "password"
    }, {
      "level" : "ERROR",
      "message" : "Password must contain 1 or more special characters",
      "property" : "password"
    }, {
      "level" : "ERROR",
      "message" : "You cannot use the same password twice in a row",
      "property" : "password"
    } ]
  },
  "mangoStatusCode" : 4002,
  "mangoStatusName" : "VALIDATION_FAILED",
  "localizedMessage" : "Validation failed"
}
```
We never display more than one validation message at a time.
The message was not showing up under the input due to our change from v1 to v2 endpoint. The component was looking for the validation messages in the wrong property of the returned data.
@terrypacker Happy to close this one now?
Yes